Before spearheading into the concept of “Mobile App Security Best Practices”, let’s not forget the undeniable fact that thousands of mobile applications for both Android and iOS platforms are being released every day. Post development, mobile applications are being released rapidly with the implementation of Devops technology alone, thus forgetting the whole concern in this deed about the security need. To implement security in the development phase itself, various firms follow practices like SDLC, Secure Code Review and Pen-testing methodologies, but are they all being done?
Even if so, are they all being done effectively in a flawless manner? To implement all the above security concepts in a prudent manner, you can follow the below security best practices.
- Is your communication channel safe?
- Are you trusting Built-in Platform Security?
- Are you following secure code review?
- Are your Apps meeting the Security standards?
- Are you using 3rd party libraries?
- Is your data stored safely?
- Are you doing security testing before releasing the apps?
- Have you deployed tamper detection or RASP in your mobile apps?
- Are your users using patched version or not?
Is your communication channel safe?
Now a days, most of the apps are Hybrids which are sending and receiving the data using web services and from its endpoints. On this basis, every mobile app uses HTTP/HTTPS protocols for the communication of data transmission. On mobile application, intercepting the HTTP/HTTPS traffic itself is a vulnerability and sending the data in HTTP protocol, is an unencrypted communication.
This type of security issue can be addressed by implementing strong encryption protocols and ciphers. To stop intercepting the mobile app traffic, developers have to implement TLS/SSL certificate pinning.
Are you trusting Built-in Platform Security?
When it comes to the release of your Apps on Android and iOS platforms, are you aware about its built-in platform security?
This is because of the fact that you may have implemented security on Application level but still your mobile app can be vulnerable because of OS level issues.
Currently, both the Android & iOS platforms are having their own techniques to identify the malware apps, protecting the apps data and releasing security patches. In Android, recently it started using ‘google play protect’ to scan the apps in the mobile devices, and also from every OS update, its releasing the new libraries and options for developers to secure their mobile apps such as network configuration options from Android nougat.
For iOS, Apple is always strict right from the time of releasing the apps in app store till the time of updating its OS on each update. Both platforms have their issues, and it confirms that, you can't trust their platform security to protect your application.
Are you following secure code review?
Best way to secure your application is to implement security from development phase itself. Developers are moving to agile, devops and waterfall models for rapid release, which results in more security issues in the application. With these software development practices, security testing is executed quickly and has given less time to security testers for performing security testing.
To overcome these issues, Organisations have to start doing secure code review in the development phase itself.
Follow the below practices in your SDLC:
- Perform the Risk Assessment on the application to identify risk profiles.
- Create a security requirement based on the collected functional requirements. To create security requirement, you can follow OWASP, CERT or other secure code standards.
- Provide secure code review testing for your developers, if needed.
- Use automated tools and manual code review techniques for performing secure code review.
Are your Apps meeting the Security standards?
When organization has decided to do the security practices such as secure code review and security assessment, they have to follow flawless approaches. If not, they are still vulnerable. When you have decided to do security practices, always follow the industry standards and methodologies. To find the mobile app vulnerabilities and to use it in development phase, you can incorporate the standards like OWASP, CWE, ZTF (Zero Trust Framework) for mobile and NCDRC’s MAST.
Are you using 3rd party libraries?
Most of mobile application needs third party libraries to create an app or are purely based on other development frameworks like Xamarin, cordova, etc. If used libraries or frameworks have any vulnerability which will affect the whole application security, then attacker can use this flaw to compromise the user. Hence, don’t blindly trust the libraries or frameworks security while implementation. Make sure the used libraries or frameworks version are up to date and from trusted sources.
Is your data stored safely?
Most of the security measures can be easily bypassed if the data is not stored properly. Most of Mobile Application has the requirements to save user data or preferences of the apps in their private directories, but are we doing it correctly? It’s a doubt only because security measures like authentication, authorization and certification pinning are preventing identify theft, Broken access control, privilege escalation and other attacks, but it can be simply be achieved by changing or capturing the preference files in the app’s private data.
The following are some areas that OWASP mobile security project has listed for developers to focus more:
- SQL databases;
- Log files;
- XML data stores ou manifest files;
- Binary data stores;
- Cookie stores;
- SD card;
- Cloud synced.
To save the data securely in android and iOS, each platform is giving more options. Developers have to encrypt the data which is locally stored in db, xml files and also process the user data in API with backend and reduce to store the user data in local.
Have you deployed tamper detection or RASP in your mobile apps?
When we are taking a survey of mobile application attacks, most of the times it is achieved from package level itself by doing reverse engineering attack and repacking the apps as a second doing run-time level attacks such as tampering values. So by implementing tamper detection or RASP in your mobile apps, they will increase the complexity to analyse and attack the apps by attackers. Organisations can implement code cert signing verification, RASP solutions to prevent from runtime attacks and tamper detection for preventing from repacking the apps and preventing app running from jail break/rooted phones.
Are you doing security testing before releasing the apps?
If yes, it means that your concerned about security. If not, then your app’s and user’s security are at risk by intruders. Organisation should do the security testing before releasing the apps in production environment. Also it’s important to do the security testing after releasing in the production environment because it gives testers a full potential to do the testing from the attacker perspective, and the testing results will expose the external attack vectors.
Are you secure against authentication and authorization attacks?
Authentication and Authorization are the two areas which needs more focus to secure and that’s why it’s being listed in the OWASP mobile TOP 10 2016 attacks. Both the mechanisms are important for mobile app security because if one of them failed then it leads to total takeover of an user account. For authentication, developers have to implement security practices like password policy, preventing brute force attacks to cover the authentication areas like forgot password, login page, changing password and so on. Implementing two factor/Multi factor authentication helps to protect against authentication attacks, by having OTP login or verification code to mails and with biometrics.
Now a days, mobile applications are purely dependent on API for its Authentication and Authorization, so if API is weak then your App is not secure. Implement Access controls mechanisms over APIs as well. Do a separate assessment for API security. Is your users using patched version or not?
When you are releasing the application updates with security patches, make sure it reaches all the end users before hacker makes a move because they look for apps that don’t release security updates. However, users updating the apps can vary and take some time to reach all users. So make sure the users to update the apps that contain critical patches.
So these are some of the best practices that developers can follow to secure their mobile applications and these should be done properly. Organizations should focus more on mobile application security as given towards web application because people are interacting with the app using mobile app more when compared to the web application.
Now a days, there is a growing indication of mobile hacking threats and they are for sure to be proliferated in the far and near future as malicious Hackers wont rest until they trap all the needed information in their nest. So what are we going to do and how can we ensure the certainty of our CIA???
To find best remedy on this, you can approach a top information security company like Briskinfosec for ensuring the protection and the strengthening of your security systems. We at Briskinfosec, work with a dedicated team of reputed security engineers, whom strive with perseverance for establishing top notch security not just to acme but to paracme.
We have rectified various security issues that existed in mobile applications and also, other mobile security related issues that were faced by companies. With cult fervour and with a loyal approach towards security testing, we reduced the bugs and thus excelled with a glory that has been spread to other companies as a laudable story.
Unlike other firms, we don’t follow the standards blindly. We have our own methodology - MAST (Mobile Application Security Testing) framework alongside with other legitimate frameworks for producing best results. Feel free to approach us anytime by accessing our official website www.Briskinfosec.com for procuring panacea against cyber threats.